November 26, 2018 • Amanda McKeon
Our guest today is Jason Kichen. He’s director of cybersecurity services at Versive, a cybersecurity company that delivers advanced threat detection and automation.
Prior to Versive, Jason spent nearly 15 years in the U.S. Intelligence Community as an expert in technical and offensive cyber operations. He was responsible for the design and execution of advanced technical operations all over the world. He has two Director of National Intelligence Meritorious Unit Citations and a National Intelligence Professional Award from the National Counterproliferation Center.
We’ll learn about his experience in the intelligence community, how it differs from the private sector, and the challenges he faced transitioning between the two. We’ll get his take on threat intelligence and how he thinks organizations can build effective security teams.
This podcast was produced in partnership with the CyberWire.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and welcome to episode 84 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.
Our guest today is Jason Kichen. He’s director of cybersecurity services at Versive, a cybersecurity company that delivers advanced threat detection and automation.
Before joining Versive, Jason spent nearly 15 years in the U.S. Intelligence Community as an expert in technical and offensive cyber operations. He was responsible for the design and execution of advanced technical operations all over the world. He has two Director of National Intelligence Meritorious Unit Citations and a National Intelligence Professional Award from the National Counterproliferation Center.
We’ll learn about his experience in the intelligence community, how it differs from the private sector, and the challenges he faced transitioning between the two. We’ll get his take on threat intelligence and how he thinks organizations can build effective security teams. Stay with us.
I’d say I was nine years old and I had this dream — that sounds ridiculous, but it’s actually true — when I was nine years old, I decided I wanted to be an intelligence officer because I watched The Hunt for Red October when I was sick, home from school for a week. I watched that movie every day for a week and saw Alec Baldwin as Jack Ryan, being an analyst, getting helicoptered onto a submarine, and I thought, “I want to be in a submarine, so I’m going to be an analyst and be an intelligence officer.”
Yeah, I decided back then. My academics and everything from nine years old until I got to college was centered around this. Whatever I have to do, want to do, or think would be the right thing to do to go into that sort of work, to go into the intelligence world. When I got ready to go to college, I left the Southwest deserts and moved out to the East Coast to be closer to the world where I thought intelligence was centered, which turned out to be right, but I didn’t know left from right at that point.
And I started like many others do, which is trying to take the right classes in college, trying to get the right internships, trying to talk to the right people, make the right friends, get the right connections, to start to just learn about the intelligence world. If you want to go into that world, it’s not exactly an open door. You can look at the websites of various agencies and submit resumes and read job descriptions, but it very much comes off as an exclusive club. It’s not so much that way once you get in, but it certainly seems that way from the outside.
I did that for a while and eventually found myself in the right position to get the right internships while I was in college, which led to the right full-time position once I graduated and put me in the world where I wanted to be. My career for the 13 or 14-some-odd years from then to now has been quite interesting. I moved around between various disciplines in a couple of different agencies, but not many of them.
I always focused on a couple of key concepts. One was technical operations, which in later years, became specifically cyber operations, and also focused on programmatic building of capabilities, such that we want to achieve some particular objective, and we have a series of resources, people, technology, capabilities, money, et cetera. How do you put those things together into a coherent program to execute in a certain way that achieves a particular objective and generates a specific thing? That process has been very constant throughout my career and thus, as I progressed in my career and became more senior and had more responsibility and got to do more things in various parts of the organization with higher levels of visibility, it was building bigger and bigger things for bigger and bigger impact in front of a more senior audience.
That was all well and good, right up until the spring of … Let’s see. It’s 2018 now, so it’d be the spring of 2017, where my wife and I decided for various reasons — some obvious, some less so — that it was time to leave the federal government and time to leave that world entirely. Part of that was, if I’m going to leave and do something else, I want to do it in a different part of the world.
We had been on the East Coast for a very long time because of my career, and not being in the federal space, either as a staffer or contractor, meant we could almost live and work anywhere. Then, for a love of the outdoors and rainy, cloudy days in the Pacific Northwest, we decided that we’d stay in the cybersecurity industry — which is, of course, what I still do now — and settled out here in beautiful Seattle.
Versive, the company that I’m currently at, is solving a unique problem in the cybersecurity space, and that’s what led me here. I think the reality for former federal people — employees or contractors — of the federal government that are leaving that space, is that you don’t leave that space with a marketable skill set. You may be very good at your job and have very good and unique skills, but the government doesn’t really sign on to lots of certifications and formal training, at least in a large sense, so that you could be a really good program manager, but you don’t have a PMP.
You can be fantastic at cybersecurity but not have all those certifications. So, us leaving the federal space, coming into — especially in cybersecurity — coming into the private sector, the skill set is a little odd, the resume is extremely vague and lacking in detail, so it can be hard to figure out where you land in the private sector. Where can you have an impact and continue to do good, important work when you look — certainly on paper, and ultimately, in person — very different from the traditional security, leadership, or expertise that lives in the private sector? Through all of those sorts of challenges, I found myself, or specifically aimed for, and landed here at Versive.
Now, from your time in the intelligence community, what are some of the things that you wish people had a better understanding of? Are there common misperceptions about the types of missions and the types of works that go on within the intelligence community?
Oh man. The misconceptions and the problems with what people think actually goes on is a never-ending thing. In fact, from the inside, it’s always frustrating, because you watch what’s said on the news and shown in Hollywood, and you shake your fist at it and say, “Man, if people only knew what it was really like.” For better or for worse.
Now, in the private sector you look at it and say, “How do I get that message out?” Podcasts like this and other mechanisms, how do I get that information out so people understand what the reality is? I think the biggest one, in my opinion, would be this perception of illegality, that intelligence agencies, whether it’s CIA, NSA, or even FBI, are out there doing whatever they want, whenever they want to, with little to no oversight, and marauding around, collecting everyone’s data and doing with it whatever they wish.
When I do public speaking, when I speak at cybersecurity conferences, one of the things I harp on is the legal compliance to the intelligence world, and how many lawyers exist in the intelligence world and in an intelligence agency, and how deep down they go. It’s not as if they’re an office of general counsel at the very top. That certainly does exist, but that office of general counsel has its lawyers deployed to the deepest levels of the organization to ensure that every operation we’re running — offensive operations, defensive things, people out in the field, technical collection programs, cyber, humans, SIGINT, all those sorts of things — are going through armies of lawyers to ensure that the operations that we’re executing are along the lines with policy, with law, with the Constitution.
That’s one of the misperceptions that I think the public at large has, very much based on the way the movies and media portray it. The reality is, it’s a little bit more mundane.
It’s interesting. In some of the conversations I’ve had with former intelligence community folks, they made the point that if someone does accidentally cross a line or even do something that may be questionable, it is a real hassle and pain to have to go through all of the steps and the paperwork and the dealing with lawyers, just to document something like that. It’s not something people are out there doing willy-nilly.
Not even remotely so. In fact, far more time is spent with various lawyers and policymakers ensuring that what we’re doing not only meets the standards of the organization, and not only meets the goals we want to achieve, but simply meets not only the legal, but the “who we are as Americans,” right?
I know the intelligence world has this aura of, “They do things in the dark that you didn’t really know that they would be doing and you wouldn’t want to know what they’re doing,” but by far, the majority of the work that goes on is right in line with what we believe and espouse as Americans and American citizens, and what our ideology is in that regard.
The screw-ups, the things that people do wrong or get in trouble for: the intelligence community and the agencies are staffed by human beings, and those human beings will make mistakes. But given the stakes at play here, given the things that are going on and the implications of those things, when those mistakes happen, there is a lot of paperwork and a lot of lawyers and a lot of policy guidance and a lot of things you have to do. That’s just the nature of any government, right?
I think in the intelligence world, it’s probably magnified because of the stakes or the implications of what they’re doing.
Yeah, it’s really an interesting insight. I want to touch on what the transition was like for you to go from the government side of things, where you’re doing offensive work, into the private sector, where I suspect your work is much more defensive.
That is exactly right. From 100 percent offense to 99-and-three-quarters percent defense. The transition was, to be completely frank, it was hard. It’s hard on many levels. I think it’s hard on levels, separate from cyber and offense and defense, just going from the federal government to the commercial space is challenging and is a challenge in and of itself. But specific from offense to defense, when I left, one of the reasons why I left and one of the guiding lights for me coming out of the government and into the private sector was, I had been, as part of my offensive work, I had insight and ability to see what other actors are doing to the United States, to companies in the United States, to government agencies in the United States.
That was part and parcel of my work. So, coming into the commercial sector was … I’ve spent so many years on the offense now, I want to lend to the unique expertise that I’ve picked up in that regard, now to the defensive side. In the United States at least, because of the nature of our system here, the defensive posture is almost entirely on the private sector’s shoulders. The government bears not too much responsibility for the defensive side.
That transition at the high level was not terribly hard. I think the bigger challenge is, how do I take the information that I have and the knowledge that I have, and get a private sector entity, company people, et cetera, to really understand that? Because it’s hard to translate, right? Basic things like terminology are weird and different and acronyms are weird and different, but at a higher level, the frame of thinking is really different, right?
My world was nation-states and existential threats to networks and large, big, impactful things. In the commercial world, it may be something as “simplistic” as, “How do I keep all of this coin mining malware out of my network?” That’s a bit of a different problem, and how you marry those two things together has been one of the more challenging transitions for me. Understanding that priority set, and how do I translate between my background and my knowledge, and what the commercial sector tends to care about the most.
Did you experience any culture shock in terms of what you had at your disposal, in terms of resources, and analysts, and expertise — things like that?
Definitely culture shock. Not so much because of the resources, I would say. The resource allocation … The resource picture is different, but not necessarily better or worse. I mean, you have the basic stuff like, if I need to hire somebody, I can hire someone or I can get approval to hire someone and hire them in days. Unlike the government, where I’m arguing for billets and budget, and a very long, drawn-out process to bring people on board. And things like security clearances, which take forever to get in place.
The private sector obviously doesn’t suffer from those same sorts of things, so there’s certainly red tape and bureaucratic inertia, but nowhere near the level that the government tends to experience. I think the biggest difference is that I’m able to move a lot faster in the commercial world. There’s less stuff in the way, right? I think, to get back to your question about legal implications and lawyers, I don’t have to take as much care on the legal side in the private sector as I had to do on the government side.
That’s not to say that we don’t follow legal regulations right and have a general counsel. We certainly do. It’s more that I don’t have too many concerns right now that the activity that I’m engaged in may or may not violate the Fourth Amendment to the Constitution. That’s something in the government I had to worry about and I had to work with my lawyer to understand. How does the nature of this operation we’re proposing potentially cause a Fourth Amendment violation? Versus the private sector, where it’s a much different corporate legal perspective.
Now, what have you seen in terms of the evolution of the adversaries out there? What are you seeing from that point of view?
I think perhaps the most fascinating is that there was a time before I was in the commercial sector, I mean years ago, where if you were to describe cyber adversaries, you’d have three main bullets. There’d be the nation-state actor at the top, and obviously, that bullet gets stratified in and of itself, and you have various levels of nation-states, but nation-states are best of the best, cream of the crop, that sort of deal.
Beneath that you have organized criminal elements, and then the third bullet would be hacktivists, ideologically-driven actors. Not for profit, not for intelligence collection, but just to make a political point. Those were the stratification of it, that was the hierarchy that we always dealt with.
Now, those bullets are a little bit more blurry. The reality, of course, is that each one of those bullets can act and look like any one of the other bullets. That used to be more of a one-directional thing. A nation-state could make themselves and their operations look like a criminal element or a hacktivist, right? It’s good for if you want to drive misattribution, or a false flag, or something like that.
But now, with the leak of tools and capabilities on the internet, with the knowledge of how to execute more sophisticated and fancier operations becoming more widely dispersed and available on the internet, you have less-sophisticated actors, or previously less sophisticated, who are now able to uplevel much faster and execute at a level of sophistication that is much higher than we would have expected.
That poses an interesting problem for enterprises, because for a time, from a defensive perspective, if you needed to secure yourself against nation-state APTs, that was a particular brand of security that you needed and resource allocation that you needed for security. If you didn’t, and you instead focused on opportunistic cybercrime, then that was a different sort of security posture that you needed to have in place.
Now, though, you have opportunistic cybercrime that’s executing with sophistication that’s approaching or at the level of nation-states, and that poses a real problem from the chief information security officer level, of how do I build a security paradigm in my enterprise network that can meet the level of threat that I face? Not because I only face one threat or another, but because now the whole spectrum is a potential threat to me, and I have to align myself against that.
Adversaries, getting smarter, getting better? Certainly, but I think the more important point is that across the spectrum, they’re able to uplevel their capabilities with far more ease now than they were 10 years ago.
Let’s talk about threat intelligence. What is your take on it? What part do you think it plays in an organization’s ability to protect themselves?
I’m a big believer in threat intelligence, and of course, I say that from the aspect of the fact of my intelligence background, right? Not commercial threat intelligence as it is, but my intelligence background lends me to believe that understanding your adversary and who your adversary is and how they operate, and what their objectives are, allows you to inform better on your defensive posture, and how you posture yourself. Your network, your organization, your people.
I think the challenge that commercial entities have, though, is that threat intelligence is more than just a slide put up on a C-Suite presentation once a month to say, “According to our intelligence feed, this is the latest APT coming after us, or this is what organized criminal elements are doing from a tactics perspective, and thus, how I must spend money or buy products or hire more people.”
Threat intelligence needs to be integrated better into a detection posture, and a mitigation and incident response posture inside of an organization. From my perspective, I think threat intelligence has two levels. There’s the strategic: “Who are the actors targeting us and what do we know about them?” And everything that we would need to know about them. And then the tactical: “How do I take the data points related to those actors and integrate them into my detection and engineering frameworks so that my threat intelligence team knows that some APT or fuzzy, snuggly duck is targeting me, but how do I take our knowledge of what fuzzy, snuggly duck does and integrate something like those indicators into our firewall configurations, into our endpoint detection and response posture, into our incident response framework?”
That’s the real challenge that threat intelligence faces. Basically, to break it down to the most basic level, to show business relevance.
How do you dial that in? How do you dial in the budgeting for that? How do you interact with how much you do in-house, how much you contract out of house? How do you turn those knobs?
Yeah, that’s a hard problem. I think the answer to that question is more specific to the environment. Because it’s possible that the people making those decisions that you have to convince won’t be believers at all, and you’re going to have to start from scratch, convince them why they should. I think to do that well, you need people that not only understand what they’re talking about — former intelligence professionals out of the civilian or military side are good at that sort of thing — but more importantly, know how to communicate the information.
That’s really, I think, what the best answer to your question is. How do you turn those knobs? How do you make those decisions? You need people that not only understand the discipline and the value of it, and the business value, but can translate that into CEO-speak, right? Into words and pictures and sentences and bullet points that senior leadership — likely non-security related — understands to then get the budgets and resources that you need.
Outsourcing it versus running it in-house, I think there’s probably a mixed component there. I think the answer to that gets back to the breakdown between strategic and tactical threat intelligence. I think there are things that you can do, for example, with IOC feeds coming out of some third-party provider, which is just a list of IP addresses and domains, and email addresses, and file hashes, right? Just very, very tactical indicators.
I think those sorts of things can probably be acted upon, brought in-house, and acted upon in-house relatively easily with the right personnel. The more strategic stuff is a little bit harder, because it’s one thing to have someone pull an IP address out of a file and put it into a configuration or to automate that process, but it’s different for a person to be able to look at what a particular nation-state actor is doing or what their objectives are, and figure out how that meshes with what their organization does from a business perspective, and how those two things come together, and then, what that threat picture looks like.
That’s the sort of thing where, I think there’s some amount of outsourcing that can be valuable, whether it’s buying the feeds from the outside, or having external entities help you define that picture. Because that skill set is a little bit more specific and nuanced, and is in my experience, a little bit rarer in the commercial world.
What are your recommendations for folks who are trying to take this on, for folks who are trying to get started with threat intelligence? Any tips for them?
I think the most important tip would be understand the business use case. From my background, I, of course, have a natural personal interest in what nation-state actors are doing, because that’s the world that I come from. I have an interest in what organized criminal elements are doing, because that’s what my customers care about at the tactical level.
But to build these programs and drive them to be successful in large commercial organizations, you need to be able to show the business justification for the work that you want to do, and then the money and the resourcing and the people, and all the facets that go along with it. It’s not good enough to talk about how interesting it is, and how cool it is, and how valuable it is in a generalized way. What’s critical is to say, “If I know that particular actor sets are acting in a particular way with particular tactics and tools and technologies, how do I take that information and make it business justifiable? How do I put it into the business case so that I can talk to the CEO and the CSO or the CISO, and justify the program I want to build and the capabilities I want to bring onboard?”
This is something the security world generally struggles with. Not just threat intelligence, but the security world at large, where we fail a lot of the time to talk to the business case for the work that we want to do. We tend to focus only on the security case. That’s because we’re often spending time in the weeds, and we’re very excitable people, and we really love what we do, and we’re very interested in it.
But ultimately, the people making the decisions and providing your budgets and justifying your existence are not security people. They are very likely VP- or C-Suite-level people who don’t know anything about security, and just know that they need to have it, but they’re going to rely on you to explain to them why they do need it. That communication becomes extremely key, so for folks looking to get involved with threat intelligence or to build those programs, or to make them larger, my recommendation … First tip to stand out is understanding how it fits into the business case for your organization, and then know how to talk about it in that contextual framework.
Our thanks to Jason Kichen from Versive for joining us.
If you enjoyed this podcast, we hope you’ll take the time to rate it and leave a review on iTunes. It really does help people find the show.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.